Summary

Root cause

1. lib/pkce/pkce.js (getHashForCodeChallenge) only checks that verifier is a non-empty string before hashing for S256; it does not enforce RFC7636 ABNF (43..128 unreserved chars).
2. lib/grant-types/authorization-code-grant-type.js compares hash(code verifier) to stored codeChallenge without validating verifier format/length.
3. In AuthorizationCodeGrantType.handle, authorization code revocation happens after verifier validation. Invalid guesses fail before revoke, so the same code can be retried repeatedly.

Steps to Reproduce

Setup

• PKCE authorization code exists with:
• codeChallengeMethod = "S256"
• codeChallenge = BASE64URL(SHA256("z")) (verifier is one character, RFC-invalid)
• Attacker has intercepted the authorization code value.

Reproduction

1. Send repeated token requests with guessed code verifier values:

POST /token HTTP/1.1
Host: oauth.example
Content-Type: application/x-www-form-urlencoded

grant type=authorization code&
client id=client1&
client secret=s3cret&
code=stolen-auth-code&
redirect uri=https://client.example/callback&
code verifier=<guess>

2. Observe invalid guesses return invalid grant.
3. Continue guessing (a..z).
4. When code verifier=z, token issuance succeeds and returns bearer tokens.

Confirmed PoC output

BRUTE FORCE SUCCESS { tries: 26, guess: 'z', status: 200, tokenIssued: true }

Impact

Recommended Fix

1. Enforce pkce.codeChallengeMatchesABNF(request.body.code verifier) in authorization code token exchange before hashing/comparison.
2. Reject verifier values outside RFC7636 charset/length (43..128 unreserved).
3. Invalidate authorization codes on failed verifier attempts (or add strict retry limits) to prevent online guessing.